Google Cloud Apps Admins

Don't Make everyone a Super Admin - Understand privileges for GSuite Apps Admins

Written by Joey Allen (GCP Apps Admin) | October 14, 2016

When you use GSuite for a business, you're going to need administrators, specifically Super Admins. Super administrators cover everything within the parameters of your administrator system within GSuite, however it is important to understand that having too many can be a hassle. There are other administrative roles set for some of your users, some premade by Google, and there are custom roles that can be created to fit the needs of your organization. We at Coolhead Tech are here to elaborate upon the many privileges that other administrative roles can use.

 

Here's a list of useful GSuite Apps admin privileges:

These roles will be explained as to what they do, but here's just a general list of what will be covered in this article:

  • Organization Units
  • Users
  • Groups
  • Domain Settings
  • Reports
  • Security > User Security Management
  • Security > Security Settings
  • Support
  • Services
  • Chrome
  • Chromebox for meetings
  • Email
  • Drive
  • Mobile
  • Shared Device Settings > Setup Networks
  • Admin API

 

Admin Privileges in GSuite, Explained:

 

Organization Units for GSuite

 

Admins with privileges over Organization units may manage your business' account structure, such as the ability to modify organizations, view your organization list, add, move and/or delete organizations. Do note that assigning this role to a user also assigns corresponding Admin API rights.

 

Users and Groups

 

The Users privilege allows administrators perform actions over users who aren't admins. This privileges boasts a wide amount of options that are available to admins such as:

  • View user list, create a user, rename users, move users, reset passwords, force password change, add/remove alias, suspend users, delete users, view user profile, view enable services, view groups, view licenses, view security settings, view admin roles, and view devices.

The Groups privilege allows an admin full control over any Google Group(s) within your Admin console. This privilege allows an admin to:

  • View user profiles and your account's organizational structure, create new groups, manage members within these groups, manage group access settings, and remove groups from the console.

 

Domain Settings and Reports

 

The Domain settings privilege allows admins to perform various account wide activities such as:

  • The ability to change your organization's name, common language, the logo and time-zone, the ability to read finance statements for your Google for Work accounts, add and delete domains and domain aliases, update contact information for any password recovery, delete your Google for Work account, manage your feature release process, and choose any communications preferences.

With the Reports privilege, your admins and review usage reports and audit logs, view graphs depicted with service use, track user activities such as document edits and track changes made by other administrators.

 

 

GSuite User Security Management and Security Settings

 

Admins with privileges over user security management have the ability to manage security settings for individual users. Their actions are as follows:

  • Enforce or disable 2-step verification for a particular user (only super administrators), monitor password strength, disable a user's login challenge for ten minutes, review and revoke a user's security keys, check and remove any app passwords and review and remove any 3-legged OAuth tokens they've applied to third-party apps.

With the Security Settings privilege, admins can manage general security settings that apply to all users.

 

 

Support and Services privileges in GSuite

 

The Support privilege grants access to information for contacting Google work for Apps support. The Services privilege gives full control over services and devices within your business' account. They can take the following actions:

  • Turn services on or off, change settings and permissions, create custom service addresses, and manage chrome and mobile devices listed within your console.

 

Chrome Device specific privileges

 

There are device specific admin privileges such as Email, Drive, Chrome, Mobile and Chromebox for meetings.

  • Chrome privileges
    • Chrom privileges allow admins to mage settings for enrolled Chrome devices
  • Chromebox for meetings
    • This privilege allows users with super admin rights to create user roles and assing privileges specific to Chromebox for meetings.
  • Email privileges
    • Allows managing all settings for Gmail services in your organization.
  • Drive privileges
    • Manages your organization's Google Drive service.
  • Mobile privileges
    • Allows full control over mobile devices listed in your Admin console.

 

Shared Device Settings ; Setup Networks and Admin API

 

Admins with privileges to Setup networks can build a VPN, Wi-Fi, and set up Ethernet for mobile, Google Chrome, and Chromebox for meetings devices.

 

The Admin API allows GSuite Admin API for administrators to perform actions on Google Groups, organization units, User accounts and user security settings.

 

Remember to assign these privileges sparingly!

GSuite can become really specific with roles, as you have learned. Remember to not make everyone a Super Admin! By understand this privileges, you can appropriately assign roles to your users!

 

If you have any concerns or need advice for anything GSuite related, please visit our blog at Coolhead Tech! We're always happy to provide professional assistance and information on topics such as these!